EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Suspicious File Write to SharePoint Layouts Directory

Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation. This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.

MITRE ATT&CK

T1190T1505.003
initial-accesspersistence

Detection Query

selection:
  Image|endswith:
    - \cmd.exe
    - \powershell_ise.exe
    - \powershell.exe
    - \pwsh.exe
    - \w3wp.exe
  TargetFilename|startswith:
    - C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\
    - C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\
  TargetFilename|contains:
    - \15\TEMPLATE\LAYOUTS\
    - \16\TEMPLATE\LAYOUTS\
  TargetFilename|endswith:
    - .asax
    - .ascx
    - .ashx
    - .asmx
    - .asp
    - .aspx
    - .bat
    - .cmd
    - .cer
    - .config
    - .hta
    - .js
    - .jsp
    - .jspx
    - .php
    - .ps1
    - .vbs
condition: selection

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Created

2025-07-24

Data Sources

windowsFile Events

Platforms

windows

References

Tags

attack.initial-accessattack.t1190attack.persistenceattack.t1505.003
Raw Content
title: Suspicious File Write to SharePoint Layouts Directory
id: 1f0489be-b496-4ddf-b3a9-5900f2044e9c
status: experimental
description: |
    Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
    This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
references:
    - https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
    - https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-24
tags:
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\w3wp.exe'
        TargetFilename|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
            - 'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
        TargetFilename|contains:
            - '\15\TEMPLATE\LAYOUTS\'
            - '\16\TEMPLATE\LAYOUTS\'
        TargetFilename|endswith:
            - '.asax'
            - '.ascx'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cmd'
            - '.cer'
            - '.config'
            - '.hta'
            - '.js'
            - '.jsp'
            - '.jspx'
            - '.php'
            - '.ps1'
            - '.vbs'
    condition: selection
falsepositives:
    - Unknown
level: high